Wednesday, September 15, 2010

Testing Google Message Security SaaS

NOTE: all the vulnerabilities discussed in this article were responsibly disclosed to Google back in January 2010.

While driving an initiative on 'Testing the Enterprise Security Infrastructure', I spent some time at the beginning of the year assessing SaaS (Software-as-a-Service) enterprise e-mail security solutions. That is how I came across Google Message Security (powered by Postini). Bundled with Google Apps Premier, you can easily get your hands on the Google e-mail security services for $50/year - a real bargain :)

After setting up my Google Apps Premier account, there it was. From the Apps account, two Google Message Security services were available: the Security Console (Admin console), used to manage the organization's resources (domains, users, filtering rules, etc.), and the Message Center, used by end-users to manage their quarantined e-mails and filtering settings. The Message Center comes in two flavors: Message Center II is the latest version (set by default for end-users), while the older user interface, known as Message Center Classic, was still accessible to an authenticated user (after tweaking the URL a bit).

The original plan was to refresh an older security test plan I had used for assessing various products from Barracuda Networks and Symantec. However, I quickly realized that I had got much more than I bargained for. The Google Message Security SaaS was affected by multiple security vulnerabilities, including several persistent and reflected Cross-Site Scripting (XSS) issues, improper error handling and, most interesting of all, SQL Injection.

The extra apostrophe used for the initial test caused the following system error:

Apart from providing details on the database engine used, the error type and the middleware settings, the returned error confirmed that the service was vulnerable to SQL Injection. Additional test cases were devised to confirm the issue.
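As an added illustration (my own example, not code from this post or from the Google/Postini service), here is the kind of defect that a stray apostrophe exposes, beside the parameterized query and generic error response that close both the injection and the information leak. The quarantine table, column names and sample subjects are constructed stand-ins, not the real schema:

```python
import logging
import sqlite3

log = logging.getLogger("message_center")

def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for a quarantine table (not Postini's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quarantine (id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)")
    conn.executemany("INSERT INTO quarantine (owner, subject) VALUES (?, ?)",
                     [("alice@example.com", "O'Brien's invoice"),
                      ("alice@example.com", "Weekly report"),
                      ("bob@example.com", "O'Brien's invoice")])
    return conn

def search_vulnerable(conn, owner, term):
    # Input spliced into the SQL text: an apostrophe in `term` breaks the statement and
    # the engine raises a syntax error, which is what the single-quote probe detects.
    sql = f"SELECT id FROM quarantine WHERE owner = '{owner}' AND subject = '{term}'"
    return [row[0] for row in conn.execute(sql)]

def search_fixed(conn, owner, term):
    # Bound parameters: values travel separately from the statement, so the
    # apostrophe is plain data and the subject still matches.
    sql = "SELECT id FROM quarantine WHERE owner = ? AND subject = ?"
    return [row[0] for row in conn.execute(sql, (owner, term))]

def handle_search(conn, owner, term, search=search_fixed):
    # Engine details go to the server log only; the client sees a generic message.
    try:
        return {"status": "ok", "ids": search(conn, owner, term)}
    except sqlite3.Error:
        log.exception("quarantine search failed for %s", owner)
        return {"status": "error", "message": "Search failed"}

def apostrophe_test(conn, owner="alice@example.com", term="O'Brien's invoice"):
    # Same input through both code paths; reports what each one does.
    try:
        search_vulnerable(conn, owner, term)
        raised = False
    except sqlite3.Error:
        raised = True
    return {"vulnerable_raised": raised,
            "fixed_ids": search_fixed(conn, owner, term),
            "handled": handle_search(conn, owner, term, search=search_vulnerable)}

if __name__ == "__main__":
    print(apostrophe_test(make_db()))
```

The legitimate subject containing an apostrophe is enough to make the concatenated query fail, so a verbose error page on such input is a signal worth alerting on even before anyone tries an attack.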